I've noticed that when using Contains in EF:
.Where(i => myListOfStrings.Contains(i.Value))
The generated SQL looks like this:
IN ('Value1', 'Value2')
Since the values are not parameterized, isn't it possible to inject some SQL?
It will not just mindlessly construct an IN statement from your Contains. At the very least it will escape single quotes (by doubling them). Suppose you want to inject something like "') OR 1=1--" as suggested in the comments, assuming that it will be converted to:
where ... IN ('') OR 1 = 1 -- the rest
But because single quotes are escaped that will be:
where ... IN (''') OR 1 = 1 --' -- the rest
So we are safe here, because your whole statement is treated as a string.
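To make the answer's point concrete, here is an added example (not code from the original question or answer, and not EF's own SQL generator) that runs the three possible translations of a Contains lookup against an in-memory SQLite table: a naive string concatenation with no escaping, the quote-doubling the answer describes, and a fully parameterized IN list. The table contents, the payload "') OR 1=1--" and the value "O'Brien" are constructed for the demo; the comments mark what is assumed.

```python
import sqlite3

# Constructed sample rows for the demo; "O'Brien" is there to show a legitimate
# value containing a single quote, "secret" is the row an attacker wants to see.
ROWS = [("Value1",), ("Value2",), ("O'Brien",), ("secret",)]

# Attacker-controlled element of myListOfStrings, as discussed in the answer.
PAYLOAD = "') OR 1=1--"


def _connect():
    """Fresh in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (Value TEXT)")
    conn.executemany("INSERT INTO items (Value) VALUES (?)", ROWS)
    return conn


def build_in_naive(values):
    """Vulnerable translation: values pasted into the IN list verbatim."""
    literals = ", ".join("'" + v + "'" for v in values)
    return "SELECT Value FROM items WHERE Value IN (" + literals + ")"


def build_in_escaped(values):
    """Translation the answer describes: every single quote is doubled, so the
    whole value stays inside one string literal."""
    literals = ", ".join("'" + v.replace("'", "''") + "'" for v in values)
    return "SELECT Value FROM items WHERE Value IN (" + literals + ")"


def run_literal(sql):
    """Execute a fully built statement and return the matched values, sorted."""
    conn = _connect()
    try:
        return sorted(row[0] for row in conn.execute(sql))
    finally:
        conn.close()


def query_fails(sql):
    """True if the statement is rejected as malformed SQL."""
    try:
        run_literal(sql)
    except sqlite3.OperationalError:
        return True
    return False


def run_parameterized(values):
    """Preferred translation: one placeholder per element, values bound
    separately so the SQL text never contains user data at all."""
    placeholders = ", ".join("?" for _ in values)
    sql = "SELECT Value FROM items WHERE Value IN (" + placeholders + ")"
    conn = _connect()
    try:
        return sorted(row[0] for row in conn.execute(sql, list(values)))
    finally:
        conn.close()


if __name__ == "__main__":
    # Naive: the payload closes the literal and the IN list, then comments out
    # the rest, so "OR 1=1" matches every row, including "secret".
    print(build_in_naive([PAYLOAD]))
    print(run_literal(build_in_naive([PAYLOAD])))
    # Escaped: the payload is just a string nobody stored, so nothing matches.
    print(build_in_escaped([PAYLOAD]))
    print(run_literal(build_in_escaped([PAYLOAD])))
    # Parameterized: same result, with no escaping logic to get wrong.
    print(run_parameterized([PAYLOAD]))
```

Running the naive builder on the payload produces `IN ('') OR 1=1--')`, which returns every row, while the escaped builder produces `IN (''') OR 1=1--')` and returns nothing, exactly the two statements the answer contrasts. The escaped and parameterized forms also both find "O'Brien" correctly, whereas the naive form turns that perfectly ordinary value into a syntax error. Doubling quotes is the ANSI SQL way to escape a string literal; binding the values as parameters is still the form to prefer where the provider supports it, because it does not depend on the escaping rules of the target database's dialect.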